I am doing research on how ITIL can reduce business risk related to IT services. I have read quite a lot of literature on both ITIL and risk, and I cannot find any evidence to prove the relationship between ITIL and risk. There are of course theories, but no substantial evidence to prove them.

Has anyone come across any article or paper on the relationship between ITIL and business risk?

Hmm, I've not come across any papers myself. You may want to dig through past conference papers of the itSMF.

I think it's fair to say that any process methodology (ITIL included) will help reduce/mitigate risk because they force a level of control over changes and forethought of what may go wrong, backout plans etc. where previously there may have been none.

In terms of ITIL I think that Change, Release, and Service Continuity are the main processes that will indeed reduce/mitigate risk.

If I come across anything that backs up my personal view (or otherwise) I'll let you know.

Risk Management - Identifying and using countermeasures to assist in reducing risks to a manageable (acceptable) level.

ITSCM also bases its recommendations upon risk analysis carried out both by the Business, in order to identify the VBF (Vital Business Functions), and by ITSCM during the second stage of ITSCM implementation (Requirements and Strategy).

ITSCM essentially uses the as availability (Analysis and Management) but for some reason calls it Requirements and strategy instead.

Use the ITIL Risk assessment model and the Risk Measurement Table for visual representations of vulnerabilities and risks.

And remember, risk and vulnerability assessments should be an iterative process; as the business grows (or shrinks), risk assessments should be carried out to cater for the ever-changing business requirements.

_________________
Humor is a rubber sword - it allows you to make a point without drawing blood.